After upgrading to Debian Buster I can no longer start some services, like memcached for example. First, I’m running:
root@gra1-vm-01:/etc/apparmor.d# snap list
Name Version Rev Tracking Publisher Notes
core 16-2.39.3 7270 stable canonical✓ core
lxd 3.15 11437 stable canonical✓ -
root@gra1-vm-01:/etc/apparmor.d# uname -a
Linux gra1-vm-01 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64 GNU/Linux
root@gra1-vm-01:/etc/apparmor.d# cat /etc/debian_version
10.0
root@gra1-mgmt-01:~# service memcached status
● memcached.service - memcached daemon
Loaded: loaded (/lib/systemd/system/memcached.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2019-08-12 11:33:26 CEST; 221ms ago
Docs: man:memcached(1)
Process: 12095 ExecStart=/usr/share/memcached/scripts/systemd-memcached-wrapper /etc/memcached.conf (code=exited, status=226/NAMESPACE)
Main PID: 12095 (code=exited, status=226/NAMESPACE)
Aug 12 11:33:26 gra1-mgmt-01 systemd[1]: memcached.service: Service RestartSec=100ms expired, scheduling restart.
Aug 12 11:33:26 gra1-mgmt-01 systemd[1]: memcached.service: Scheduled restart job, restart counter is at 5.
Aug 12 11:33:26 gra1-mgmt-01 systemd[1]: Stopped memcached daemon.
Aug 12 11:33:26 gra1-mgmt-01 systemd[1]: memcached.service: Start request repeated too quickly.
Aug 12 11:33:26 gra1-mgmt-01 systemd[1]: memcached.service: Failed with result 'exit-code'.
Aug 12 11:33:26 gra1-mgmt-01 systemd[1]: Failed to start memcached daemon.
And the vm host dmesg says
[Mon Aug 12 11:36:50 2019] audit: type=1400 audit(1565602610.566:229): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-gra1mgmt01_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=29953 comm="(-wrapper)" srcname="/" flags="rw, rbind"
[Mon Aug 12 11:36:50 2019] audit: type=1400 audit(1565602610.814:230): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-gra1mgmt01_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=29956 comm="(-wrapper)" srcname="/" flags="rw, rbind"
[Mon Aug 12 11:36:50 2019] audit: type=1400 audit(1565602611.062:231): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-gra1mgmt01_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=29959 comm="(-wrapper)" srcname="/" flags="rw, rbind"
I had the same type of errors with mysqld, and I boiled it down to systemd doing some limitations of the software, so I edited memcached.service and commented out some lines that were previously enabled.
# Set up a new file system namespace and mounts private /tmp and /var/tmp
# directories so this service cannot access the global directories and
# other processes cannot access this service's directories.
#PrivateTmp=true
# Mounts the /usr, /boot, and /etc directories read-only for processes
# invoked by this unit.
#ProtectSystem=full
# Ensures that the service process and all its children can never gain new
# privileges
#NoNewPrivileges=true
# Sets up a new /dev namespace for the executed processes and only adds API
# pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as
# the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda.
#PrivateDevices=true
Are there any ways around this that don’t use unprivileged containers or editing systemctl to remove what I understand is there to protect me? I think it has to do with the apparmor profiles and how rw/rbind mounts are limited, but I’m not savvy enough to figure out how I can override and allow those.
So what I would like to know is 1) can I modify the snap/lxd apparmor profiles to allow this, or 2) can I modify each container to allow this with "raw.apparmor: mount " somehow, or possibly 3) I have totally misunderstood this and you can point me into the right direction.
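As an added example (not code from the original post), a small POSIX sh helper that parses the AppArmor denial lines quoted above and reports which of the commented-out unit directives actually require a private mount namespace; the sample inputs are constructed from the post's own dmesg line and a hypothetical `systemctl show` output.

```shell
#!/bin/sh
# Added example, not from the original post: read off exactly which mount the
# container's AppArmor profile denied, and which unit directives ask for it.

# Constructed sample input: one of the dmesg lines quoted in the post.
SAMPLE_DENIAL='[Mon Aug 12 11:36:50 2019] audit: type=1400 audit(1565602610.566:229): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-gra1mgmt01_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=29953 comm="(-wrapper)" srcname="/" flags="rw, rbind"'

# Constructed sample of:
#   systemctl show -p PrivateTmp,ProtectSystem,NoNewPrivileges,PrivateDevices memcached
SAMPLE_SHOW='PrivateTmp=yes
ProtectSystem=full
NoNewPrivileges=yes
PrivateDevices=yes'

# Pull the quoted fields out of an AppArmor audit line. A leading blank anchors
# each key so that "name=" does not also match "srcname=".
parse_apparmor_denial() {
    line=$1
    for key in profile operation srcname name flags; do
        val=$(printf '%s\n' "$line" | sed -n "s/.*[[:space:]]$key=\"\([^\"]*\)\".*/\1/p")
        printf '%s=%s;' "$key" "$val"
    done
    printf '\n'
}

# PrivateTmp, ProtectSystem and PrivateDevices each need a private mount
# namespace, which systemd builds by rbind-mounting / under
# /run/systemd/unit-root/ (the mount the profile denies, hence 226/NAMESPACE).
# NoNewPrivileges is a prctl flag, needs no mount, and can stay enabled.
hardening_summary() {
    printf '%s\n' "$1" | awk -F= '
        $1 == "PrivateTmp" || $1 == "ProtectSystem" || $1 == "PrivateDevices" {
            printf "%s %s needs-mount-ns\n", $1, ($2 == "no" ? "off" : "on") }
        $1 == "NoNewPrivileges" {
            printf "%s %s no-mount-ns\n", $1, ($2 == "no" ? "off" : "on") }'
}

parse_apparmor_denial "$SAMPLE_DENIAL"
hardening_summary "$SAMPLE_SHOW"
```

Any directive you do decide to change belongs in a drop-in (`systemctl edit memcached`, which writes /etc/systemd/system/memcached.service.d/override.conf) rather than in the vendor unit file, so the change survives package upgrades and stays visible in `systemctl cat memcached`.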